Following is the first in a series of posts about the Health Insurance Portability and Accountability Act (HIPAA) provided by the Compliancy Group, an ACA corporate partner and ACA’s preferred HIPAA solution.
The Health Insurance Portability and Accountability Act, known as HIPAA, consists of a complex set of regulations that were put in place to protect the privacy and security of patient information. It created standards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA dictates the proper uses and disclosures of PHI, how PHI should be protected, and what to do in the event of a PHI breach.
Who Does HIPAA Regulate?
HIPAA regulates covered entities and business associates. Covered entities are classified as healthcare providers, health plans, and healthcare clearinghouses. Business associates are businesses that covered entities contract to perform work on their behalf. Some examples of business associates include electronic health record (EHR) vendors, medical billing services, IT providers, practice management software vendors, and other software providers (e.g., email, messaging services, online appointment scheduling, etc.).
What Information is Protected Under HIPAA?
HIPAA requires the privacy and security of protected health information (PHI) to be maintained. PHI is defined as any individually identifiable health information. PHI can be related to the past, present, or future provision of health care. The Department of Health and Human Services (HHS) further classified PHI into eighteen identifiers:
- Names
- Address (including subdivisions smaller than state such as street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
What Are the HIPAA Rules?
There are four main rules within the HIPAA regulations: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule.
Privacy Rule
This Rule defines the proper uses and disclosures of PHI: for treatment, payment, or healthcare operations. The Privacy Rule also includes requirements to limit PHI use and disclosure to the minimum necessary to perform a job function (minimum necessary standard), and to provide patients timely access to their PHI (right of access standard). Under this Rule, covered entities must also provide patients with a Notice of Privacy Practices, clearly explaining how their PHI will be used and disclosed, and defining the patient’s rights with regard to their PHI.
Security Rule
This Rule requires healthcare organizations to maintain the confidentiality, integrity, and availability of PHI. Under the Security Rule, electronic PHI (ePHI) must be protected from unauthorized use, disclosure, alteration, or destruction. This is accomplished through “reasonably appropriate” administrative, physical, and technical safeguards, scaled to the organization. For instance, HHS does not expect a sole practitioner to have the same safeguards in place that a large hospital would have.
Breach Notification Rule
This Rule requires breaches affecting PHI to be reported in a timely manner. Breaches may include hacking incidents, theft or loss of an unencrypted device containing PHI, loss or theft of paper records, or unauthorized access or disclosure of PHI (including by staff members). Breaches affecting fewer than 500 patients must be reported within 60 days from the end of the calendar year (i.e., by March 1) in which the breach was discovered. These breaches must be reported to the HHS Office for Civil Rights (OCR) and to affected patients. Breaches affecting 500 or more patients must be reported within 60 days of discovery. These breaches must be reported to HHS OCR, affected patients, and media outlets.
Omnibus Rule
This Rule requires business associates to be HIPAA compliant, and for business associate agreements to be in place. Business associate agreements are contracts that must be executed between a covered entity and a business associate—or between two business associates—before any PHI or ePHI can be transferred or shared.
HIPAA and Self-audits
To ensure compliance with the HIPAA Privacy, Security, and Breach Notification rules, covered entities must conduct six self-audits annually. The required self-audits are as follows:
- Security IT Risk Analysis. This requires a security risk analysis to be conducted annually to assess the organization’s cybersecurity practices against HIPAA standards.
- Physical Site. This audit requires policies and procedures to be implemented to limit physical access to electronic devices.
- Asset and Device. This audit requires policies and procedures to be implemented that relate to the security protection of electronic media.
- Privacy Standards. This audit requires policies and procedures to be implemented with respect to use and disclosure of PHI, and for workforce members to be trained on these policies.
- HITECH Subtitle D. This audit requires policies and procedures to be implemented that relate to breach notification, and for workforce members to be trained on these policies.
Compliancy Group is the affordable industry standard for simplified compliance. It was founded in 2005 by former auditors who saw a gap in the market: before it was founded, small and mid-size business owners lacked a cost-effective tool to address their compliance obligations. Learn more about HIPAA at compliancy-group.com and on ACA’s website at acatoday.org/HIPAA.